Access Control Based on User and Service

1. A method implemented in a first computing device, the method comprising: identifying, via the first computing device, a user permitted to access a resource via a user token; identifying a service through which the user is permitted to access the resource via a service token; combining the user token and the service token into a single token by deconstructing the user token and the service token into a respective component part such that each respective part is reconstructed into the single token, the combined single token indicating the user permitted to access the resource and the service through which the user is permitted to access the resource; identifying a type of access to the resource without receiving a request for a particular type of access; and generating an access control entry indicating that the user, through the service, is permitted the type of access to the resource based, at least in part, on the combined single token.

2. A method as recited in claim 1 , further comprising storing the access control entry in an access control list corresponding to the resource.

3. A method as recited in claim 2 , wherein the access control list includes multiple access control entries, each of the multiple access control entries corresponding to the user, and each of the multiple access control entries corresponding to a different one of multiple services.

4. A method as recited in claim 2 , wherein the access control list includes an additional access control entry corresponding to a different user, the additional access control entry being independent of any service.

5. A method as recited in claim 1 , wherein both the resource and the service are included in the first computing device, and further comprising receiving the service token from an identity validation service of a second computing device.

6. A method as recited in claim 1 , wherein the resource comprises a file in a file system of the first computing device.

7. A method as recited in claim 1 , further comprising providing to another component or module an indication of whether a request to access the resource is permitted.

8. A method implemented in a first computing device, the method comprising: receiving a request for a particular type of access to a resource; identifying, via a user token, a user associated with the request; identifying, via a service token, a service through which the request is made, the service including a program or an application; combining, via the first computing device, the user token and the service token into a single token, the combining including deriving a single identifier for the single token from an identifier of the user token and an identifier of the service token; identifying, via the single identifier for the single token, both the user and the service in an access control entry of an access control list corresponding to the resource; and determining, using the access control entry, whether the particular type of access to the resource is permitted based at least in part on the combined single token that indicates both the user associated with the request and the service through which the request is made.

9. A method as recited in claim 8 , wherein the access control list includes multiple access control entries, each of the multiple access control entries corresponding to the user, and each of the multiple access control entries corresponding to a different one of multiple services.

10. A method as recited in claim 8 , wherein the access control list includes an additional access control entry corresponding to a different user, the additional access control entry being independent of any service.

11. A method as recited in claim 8 , wherein identifying the user comprises obtaining an identifier of the user from the user token received from the service, and wherein identifying the service comprises obtaining an identifier of the service from the service token received from the service.

12. A method as recited in claim 8 , wherein the user is authenticated to the service by a trusted third party.

13. A method as recited in claim 8 , further comprising returning an indication to the service of whether the particular type of access to the resource is permitted.

14. A method as recited in claim 8 , wherein the resource is included in the first computing device, the service is included in the first computing device, and receiving the request comprises receiving the request from a resource access module in a second computing device.

15. A method as recited in claim 8 , wherein identifying the user associated with the request is based at least in part on the user token received by the service from an identity validation service trusted by the first computing device.

16. A method as recited in claim 8 , wherein the combined single token is stored in an access control module of the first computing device.

17. A method as recited in claim 8 , responsive to determining that the particular type of access to the resource is not permitted, presenting an indication of one or more other services through which the request is permitted.

18. A method as recited in claim 8 , wherein the resource comprises a file in a file system of the first computing device.

19. A method as recited in claim 8 , wherein the resource comprises an entry in a database of the first computing device.

20. One or more computer hardware storage media having stored thereon multiple instructions execution of which cause one or more processors of a computing device to: receive a request for access to a resource of the computing device via a first service, the first service including a program or an application; responsive to verification of user credentials associated with the request, generating a single operator for storage in an access control list indicative of a user permitted to access the resource and a first service through which the user is permitted to access the resource; determine, based at least in part on the single operator stored as a first access control entry of the access control list that corresponds to the resource, that access to the resource is not permitted via the first service; responsive to determining that access to the resource is not permitted via the first service, determine that access to the resource is permitted via a second service based on a second access control entry of the access control list that corresponds to the resource, the second access control entry identifying, as another single operator, both the user associated with the request and the second service; and provide an indication that the second service permits access to the resource.

21. A system comprising: one or more modules implemented at least partially in hardware, the one or more modules configured to perform operations comprising: identifying, via the one or more modules, a user permitted to access a resource via a user token; identifying a service through which the user is permitted to access the resource via a service token; combining the user token and the service token into a single token by deconstructing the user token and the service token into a respective component part such that each respective part is reconstructed into the single token, the combined single token indicating the user permitted to access the resource and the service through which the user is permitted to access the resource; identifying a type of access to the resource without receiving a request for a particular type of access; and generating an access control entry indicating that the user, through the service, is permitted the type of access to the resource based, at least in part, on the combined single token.

22. A system comprising: one or more modules implemented at least partially in hardware, the one or more modules configured to perform operations comprising: receiving a request for a particular type of access to a resource; identifying, via a user token, a user associated with the request; identifying, via a service token, a service through which the request is made, the service including a program or an application; combining, via the one or more modules, the user token and the service token into a single token, the combining including deriving a single identifier for the single token from an identifier of the user token and an identifier of the service token; identifying, via the single identifier for the single token, both the user and the service in an access control entry of an access control list corresponding to the resource; and determining, using the access control entry, whether the particular type of access to the resource is permitted based at least in part on the combined single token that indicates both the user associated with the request and the service through which the request is made.

23. A system comprising: one or more modules implemented at least partially in hardware, the one or more modules configured to perform operations comprising: receiving a request for access to a resource of a computing device via a first service, the first service including a program or an application; responsive to verification of user credentials associated with the request, generating a single operator for storage in an access control list indicative of a user permitted to access the resource and a first service through which the user is permitted to access the resource; determining, based at least in part on the single operator stored as a first access control entry of the access control list that corresponds to the resource, that access to the resource is not permitted via the first service; responsive to determining that access to the resource is not permitted via the first service, determining that access to the resource is permitted via a second service based on a second access control entry of the access control list that corresponds to the resource, the second access control entry identifying, as another single operator, both the user associated with the request and the second service; and providing an indication that the second service permits access to the resource.